Gentoo Forums
Question on docker
shimitar
Guru


Joined: 23 Nov 2003
Posts: 320
Location: Italy, Torino

Posted: Mon Dec 18, 2023 10:35 am    Post subject: Question on docker

Hi all!
I am new to docker usage, but I need to install a few services on my server that are only provided as docker images (I am referring to LibrePhotos) or for which there are no clear or simple instructions on how to install on bare metal.

I see that the containers and the processes inside are all running as "root" (or uid 999), which greatly annoys me because all my other services are properly constrained in specific users with groups where data needs to be shared. This docker thing does not go down well with me.

Following the docker gentoo wiki I have created an unprivileged user in group "docker" and I am using it to start the containers, but still everything runs as root.

I am sure I am doing something wrong here, as it's hard to believe docker stuff all needs root access.

Any insights?
_________________
Willy Gardiol
willy@gardiol.org
spica
Apprentice


Joined: 04 Jun 2021
Posts: 288

Posted: Tue Dec 19, 2023 8:41 am    Post subject:

Explore the original Dockerfile utilized in crafting the image and tailor it to meet your specifications.
Additionally, consider supplying a custom UID/GID for use within the container. Keep in mind that
if the image creators did not prioritize specifying privileges within the container, merely assigning
a new UID may not yield the desired outcome.

A little bit about using the same uid/gid inside a container
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21644

Posted: Wed Dec 20, 2023 1:54 am    Post subject: Re: Question on docker

shimitar wrote:
I am sure I am doing something wrong here, as it's hard to believe docker stuff all needs root access.

Any insights?

As I understand it, your mistake here is in assuming that Docker is sane or reasonable. If I recall correctly, docker build will default to building an image that runs the contained processes as root unless directed otherwise in the Dockerfile build recipe. Therefore, you get the bad behavior by default. To get the good behavior, you need the authors of the relevant images to Do The Right Thing in specifying a non-root user to run as, and arranging for all relevant files in the image to be accessible in the intended way by the non-root user so picked. As spica alludes, if you only override the uid/gid of the contained process and make no other changes, there is a good chance you will break things. This override might work for simple images where the image filesystem is read-only and permissions are lax. Otherwise, the contained process may be relying on its root uid to enable it to access the files it wants.
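The failure mode spica and Hu describe, as an added example that is not part of the original thread: a Python check that reads the tar stream produced by `docker export` and lists the paths a non-root uid/gid could not read, or could not write in the directories the service must write to. The uid/gid 1000, the `/data` and `/cache` directories and the sample archive are constructed assumptions, and the permission model is simplified to owner/group/other bits.

```python
import io
import tarfile

def blocked_paths(tar_stream, uid, gid, writable=()):
    """List paths in a `docker export` tar that uid:gid cannot read,
    or cannot write when they sit under one of the `writable` prefixes.
    Simplified model: owner/group/other bits only, no supplementary
    groups, ACLs or capabilities."""
    blocked = []
    with tarfile.open(fileobj=tar_stream, mode="r|*") as tar:
        for info in tar:
            if uid == 0 or not (info.isfile() or info.isdir()):
                continue  # root bypasses permission bits
            path = "/" + info.name.removeprefix("./").strip("/")
            need = 0o4  # read
            if info.isdir():
                need |= 0o1  # search permission to enter the directory
            if any(path == p or path.startswith(p.rstrip("/") + "/") for p in writable):
                need |= 0o2  # the service must write here
            shift = 6 if info.uid == uid else 3 if info.gid == gid else 0
            if ((info.mode >> shift) & need) != need:
                blocked.append(path)
    return blocked

def sample_export():
    """Constructed stand-in for `docker export` output of a root-built image."""
    entries = [  # (name, mode, owner uid and gid, is directory)
        ("app", 0o755, 0, True),
        ("app/settings.py", 0o600, 0, False),
        ("app/static.css", 0o644, 0, False),
        ("data", 0o755, 0, True),
        ("data/db.sqlite3", 0o644, 0, False),
        ("cache", 0o755, 1000, True),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, owner, is_dir in entries:
            info = tarfile.TarInfo(name)
            info.mode, info.uid, info.gid = mode, owner, owner
            info.type = tarfile.DIRTYPE if is_dir else tarfile.REGTYPE
            tar.addfile(info)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # For a real container, pass sys.stdin.buffer fed by `docker export <container>`.
    for path in blocked_paths(sample_export(), 1000, 1000, ("/data", "/cache")):
        print("not accessible as 1000:1000:", path)
```

Every path it reports is a file or directory that would need its ownership or mode changed in the image (or a suitably owned volume mounted over it) before the container can run under that uid/gid.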
All times are GMT